We show the weakness of several RSA signature schemes using redundancy (i.e. completing the message to be signed with some additional bits which are fixed or message-dependent), by exhibiting chosen-message attacks based on the multiplicative property of the RSA signature function. Our attacks, which largely extend those of De Jonge and Chaum [DJC], make extensive use of an affine variant of Euclid's algorithm, due to Okamoto and Shiraishi [OS]. When the redundancy consists of appending any fixed bits to the message m to be signed (more generally, when redundancy takes the form of an affine function of m), then our attack is valid if the redundancy is less than half the length of the public modulus. When the redundancy consists of appending to m the remainder of m modulo some fixed value (or, more generally, any function of this remainder), our attack is valid if the redundancy is less than half the length of the public modulus minus the length of the remainder. We successfully apply our attack to a scheme proposed for discussion inside ISO.
[1] Tatsuaki Okamoto, et al. A Fast Signature Scheme Based on Quadratic Inequalities. 1985 IEEE Symposium on Security and Privacy, 1985.
[2] Adi Shamir, et al. A method for obtaining digital signatures and public-key cryptosystems. CACM, 1978.
[3] Jean-Jacques Quisquater, et al. Precautions Taken Against Various Potential Attacks in ISO/IEC DIS 9796 "Digital Signature Scheme Giving Message Recovery". EUROCRYPT, 1990.
[4] David Chaum, et al. Attacks on Some RSA Signatures. CRYPTO, 1985.
[5] Mihir Bellare, et al. The Exact Security of Digital Signatures - How to Sign with RSA and Rabin. EUROCRYPT, 1996.
[6] Brigitte Vallée, et al. Computation of Approximate L-th Roots Modulo n and Application to Cryptography. CRYPTO, 1988.